General

  • Target

    367b98e57ecd670c26adc70817e8881a8a08f4ff72fdcbe6200d6af2d4f42615

  • Size

    349KB

  • Sample

    240417-qn7eyaah7z

  • MD5

    daf75eeb4f4ab7e572628c82d5ae2355

  • SHA1

    5f98f24f4c2cfadb0be5a18b37cffcdac6cd15a4

  • SHA256

    367b98e57ecd670c26adc70817e8881a8a08f4ff72fdcbe6200d6af2d4f42615

  • SHA512

    ad22918c00c1e05095e15b173fc9f90d6cf1fe342e297080251f2584df238b2f29c74da4b7c0c9eefdb8a68c612b5ee689ddfa781973271b4112b0a006320f1d

  • SSDEEP

    6144:UBCuhg+nECobW97rQC2OzhpFmiClbM+fTRb+vph7H7F6IQW5eGy/P1/J7WTYbcVP:YCvWV3zJmRFtb+vnHx65W5ePFJ7WkbHa

Malware Config

Targets

    • Target

      540a78159878e8c97bb15530b7a1959b3f5b407f2adbf3ffded92daf51fc24bf.exe

    • Size

      400KB

    • MD5

      d4c4a4bf3c17233602b19d95e47eedbb

    • SHA1

      5c9aa3597de084e9e254f367a732645d94d7f6e4

    • SHA256

      540a78159878e8c97bb15530b7a1959b3f5b407f2adbf3ffded92daf51fc24bf

    • SHA512

      189fcbd4b13dfcc180848333045fa1811c8dc6d8ff97f6d0e83a60d53820c47040a57c3a189cf68afed7c005b446d95dc06a029368eca69d300db28b21ae07c2

    • SSDEEP

      12288:/ApIoOIoR6fitS4wSTVi1e5hqdkuS1ibM2Y:mIoOIoR66tSh1mukib9Y

    • Glupteba

      Glupteba is a modular loader written in Go with various components.

    • Glupteba payload

    • UAC bypass

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system. PatchGuard (Kernel Patch Protection) blocks such patching on 64-bit Windows, so disabling it is a prerequisite for a kernel-mode rootkit.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check so the sample avoids running in certain regions.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and cookies.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate installed software.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Manipulates WinMon driver

      Rootkits write to the WinMon driver to hide processes (by PID) from detection.

    • Manipulates WinMonFS driver

      Rootkits write to the WinMonFS driver to hide directories and files from detection.

    • Suspicious use of SetThreadContext
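The following is an added triage example, not code from the sandbox report or from the Glupteba sample. It shows two of the checks the report's signatures perform: the "UPX packed file" indicator, implemented as a minimal PE section-table parser that looks for the section names the stock UPX packer writes, and the behaviour labels "Modifies boot configuration data using bcdedit", "Modifies Windows Firewall" and "Adds Run key to start application", implemented as pattern rules over sandbox-style process and registry events. The PE images and event lines are constructed inline for the example; the exact command lines and registry value name are assumptions, not data from this report.

```python
"""Added triage example (not part of the sandbox report).

Part 1: parse the PE section table and flag stock UPX section names.
Part 2: map sandbox-style events to the report's behaviour labels.
"""
import re
import struct

# Section names written by the stock UPX packer. A modified UPX build can
# rename them, which is why the report wording says "UPX/modified UPX";
# a name check alone will miss such builds (an entropy check is the usual
# complement, not shown here).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if it is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes total).
    coff = e_lfanew + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    names = []
    off = coff + 20 + opt_size  # section table follows the optional header
    for _ in range(num_sections):
        if off + 40 > len(data):  # truncated section table: stop, do not crash
            break
        names.append(data[off:off + 8].rstrip(b"\0"))  # Name is the first 8 bytes
        off += 40  # IMAGE_SECTION_HEADER is 40 bytes
    return names


def is_upx_packed(data: bytes) -> bool:
    """True if any section carries a stock UPX name."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def build_fake_pe(section_names) -> bytes:
    """Construct a header-only PE image (no code) so the parser can be exercised offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections


# Behaviour rules: (report label, event kind, pattern over the event detail).
BEHAVIOUR_RULES = [
    ("Modifies boot configuration data using bcdedit", "process",
     re.compile(r"\bbcdedit(\.exe)?\b", re.I)),
    ("Modifies Windows Firewall", "process",
     re.compile(r"\bnetsh(\.exe)?\b.*\b(advfirewall|firewall)\b", re.I)),
    ("Adds Run key to start application", "registry",
     re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
]

# Constructed sandbox-style events (event kind, detail); these are assumed
# shapes, not lines taken from this report.
SAMPLE_EVENTS = [
    ("process", r'"C:\Windows\System32\bcdedit.exe" /set {current} testsigning on'),
    ("process", r"netsh advfirewall set allprofiles state off"),
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("process", r"C:\Windows\System32\notepad.exe"),
]


def match_behaviours(events) -> list:
    """Return the report labels triggered by the events, first hit order, no duplicates."""
    hits = []
    for kind, detail in events:
        for label, rule_kind, pattern in BEHAVIOUR_RULES:
            if kind == rule_kind and pattern.search(detail) and label not in hits:
                hits.append(label)
    return hits


if __name__ == "__main__":
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"])
    print("UPX sections:", pe_section_names(packed), "packed:", is_upx_packed(packed))
    for label in match_behaviours(SAMPLE_EVENTS):
        print("behaviour:", label)
```

The section-name check reproduces only the cheap half of the report's "UPX/modified UPX" signature: a repacked or renamed UPX build keeps the high entropy and the characteristic unpacking stub but not the names, so a production rule also looks at section entropy or the stub bytes. The behaviour rules are deliberately narrow; a real sandbox correlates the same labels from API traces rather than from command-line text alone.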

MITRE ATT&CK Enterprise v15

Tasks